8.1 Overview of Web Service Application Migration

To migrate Web service applications independently between environments, such as from test to production, or in a scaled clustered environment, you must export the policies and the deployment configuration information to the new environment so that you can deploy the application. Depending on your configuration, you may also need to migrate policy configuration artifacts and policy assertion templates.

A deployment descriptor is an XML file that contains the basic deployment configuration for an application. For WebLogic Server and Java EE Web services applications, you create a deployment plan that contains the necessary deployment descriptors for deploying the application in a new environment.

For ADF Business Components, however, run-time policy changes are persisted in proprietary deployment descriptor (PDD) files: oracle-webservices.xml and oracle-webservices-client.xml. Because these files are not included in the WebLogic deployment plan or exported with any other deployment descriptors, you must export and import these PDD files separately. You must also export and import these PDD files separately if you are scaling your application in a clustered environment.

For a SOA composite, Web services and Oracle WSM configurations are persisted in a composite.xml file which is included in a configuration plan used for deployment configuration. The SOA framework provides its own mechanism for composite services and configuration lifecycle and synchronizations.

The general steps for migrating a Web service application from a development or test environment to a production environment are as follows:

Install and configure the production environment with the components that you need.

Migrate security information, such as users and groups, the identity and policy stores, and credentials. For more information, see "Migrating Policy Configuration".

Migrate policies and deployment configuration data as required. For more information, see "Migrating Policies". Modify any information that is specific to the new environment such as host name or ports.

8.3 Migrating Policies

You can export one or more user-created policies to an archive file using Fusion Middleware Control. You can then import the archive to move it to another repository.

Note:

Read-only documents, such as predefined policies and assertion templates, will not be imported or exported using either Fusion Middleware Control or WLST because they will already be present in the target environment.

For details about exporting and importing user-created policies using Fusion Middleware Control, refer to the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:

8.4.1 Migrating Keystores

If you are using message protection policies, you need to migrate your keystores. To migrate keystores:

Manually copy your keystores to the new environment.

For Java SE applications, copy the keystore to a user-defined location. For Java EE applications, copy the keystore to the same directory as the jps-config.xml file, namely DOMAIN_HOME/config/fmwconfig.

By default, the keystore is named default-keystore.jks. If you have renamed the keystore, you must configure the keystore name in the Oracle Platform Security Services keystore service instance.

8.4.2 Migrating Users and Groups

Users and groups are maintained as part of the WebLogic Server security realm.

To migrate users and groups in embedded LDAP, you can migrate the data using either the Oracle WebLogic Administration Console or WLST. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server.

To migrate users and groups in an LDAP store, there is no migration path. You need to recreate the users and groups and specify the assignments in the LDAP store in the new environment. See "Configuring Authentication Providers" in Administering Security for Oracle WebLogic Server.

8.4.3 Migrating Credentials

There are two types of credentials maintained in the credential store that you may need to migrate:

Username and password

Keystore and encryption key passwords

The migration steps are described in the sections below.

8.4.3.1 Migrating Username and Password

If users are stored in an embedded LDAP and migrated, as described in "Migrating Users and Groups", then you simply migrate the existing credentials to the new credential store. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server.

If users are stored in an LDAP store, there is no automated migration path. You need to recreate the credentials in the credential store. For more information about configuring credentials, see "Configuring the Credential Store" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.3.2 Migrating Keystores and Encryption Key Passwords

You can migrate keystores and encryption key passwords manually using the procedure described in "Migrating Credentials Manually" in "Deploying Secure Applications" in Securing Applications with Oracle Platform Security Services.

If your Web service uses authorization policies, you must migrate the Oracle Platform Security Services application and system policies that grant permissions. For more information, see "Migrating with the Script migrateSecurityStore" in "Configuring the OPSS Security Store" in Securing Applications with Oracle Platform Security Services.

8.4.5 Migrating Oracle Platform Security Services Configuration

There is no automated migration path for Oracle Platform Security Services configuration. You must recreate the configuration in the new environment.

There are three types of configurations in the Oracle Platform Security Services that you may need to recreate:

If you use the default configuration for keystores, then no migration is required. For information about configuring keystores in the new environment, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

Keytab location and service principal name (applicable to Kerberos policy).

For information about configuring the keytab location and service principal name in the new environment, see the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:

8.4.6 Migrating SSL

There is no automated migration path for SSL configuration. You must configure SSL keystores and settings in the new environment. For more information about configuring SSL keystores and settings in the new environment, see "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.7 Migrating Kerberos Configuration

To migrate the Kerberos configuration:

Copy the Kerberos configuration file to the new environment, matching the directory structure. The Kerberos configuration file is located in the following locations, based on your operating system:

8.5 Migrating Assertion Templates

You can export individual assertion templates from Oracle Enterprise Manager Fusion Middleware Control. You can then copy the policy to a directory or import the policy to move it to another repository.